Reasons not to use TSIG?

David Botham DBotham at OptimusSolutions.com
Wed Oct 6 15:43:00 UTC 2004


bind-users-bounce at isc.org wrote on 10/06/2004 06:59:09 AM:
> Hello everyone,
> 
> I am exploring the possibilities TSIG offers; for the environment I work
> in TSIG seems fine, since it is easy to set up and offers a reasonable
> degree of security from employees doing zone transfers or hammering my machines
> with recursive queries.
> 
> And since I am about to use TSIG as widely as possible, I would like to
> know if there are any reasons not to use TSIG.
> 
> I can think of just one: TSIG cannot be used to verify zone-content the
> way DNSSEC can. Also, regular queries don't get covered by this.

I do not consider the fact that TSIG can't verify zone content a check in 
the minus column.  There are a great number of things that TSIG does not 
do by design.  Verifying zone content is one of them.  Others are (in no 
particular order):

Making coffee
Tying my shoes
Negotiate SSL connections
etc...
:)

TSIG does a great job at what it is designed to do (imho).

However, if you are interested in interoperation in a Windows environment 
for DDNS updates, you may want to look at this:

http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/cncf/cncf_imp_eqjg.asp

Specifically, skip to the section on "DNS Standards for Secure Dynamic 
Update".


hth,


Dave...


> 
> But otherwise?
> (In case it matters, we currently have a test setup where TSIG is used
> for "allow-transfer {}" and "allow-notify {}".)
> 
> Benjamin Walkenhorst
> 
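As an added illustration of the "allow-transfer" / "allow-notify" setup mentioned in the question (example configuration, not from the original thread), here is a BIND 9 named.conf fragment showing the address-only form beside the TSIG-keyed form; the key name, secret, zone name and addresses are constructed placeholders, the two halves belong on the primary and secondary respectively, and hmac-sha256 assumes a BIND release that supports it (9.5 and later).

```conf
// --- primary (master) server, constructed example ---

// Shared secret. Generate a real one with tsig-keygen (newer BIND releases)
// or "dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST xfer-key" (older releases).
// The base64 value below is a constructed placeholder, not a real secret.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LXBsYWNlaG9sZGVy";
};

zone "example.test" {
    type master;
    file "example.test.zone";
    // Address-only form: any host that can source packets from 192.0.2.2
    // (or that shares the host) can pull the entire zone.
    // allow-transfer { 192.0.2.2; };
    // TSIG form: the AXFR/IXFR request must carry a valid signature made
    // with xfer-key; the source address alone is no longer enough.
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.2; };
};

// Sign NOTIFY (and anything else sent to the secondary) with the same key.
server 192.0.2.2 {
    keys { "xfer-key"; };
};

// --- secondary (slave) server, constructed example ---
// The same key block must be present here so the secondary can verify
// the primary's signatures and sign its own transfer requests.

zone "example.test" {
    type slave;
    file "slaves/example.test.zone";
    // Transfer requests to the primary are signed with xfer-key.
    masters { 192.0.2.1 key "xfer-key"; };
    // Only NOTIFY messages signed with xfer-key trigger a refresh;
    // an unsigned NOTIFY from the primary's address is rejected.
    allow-notify { key "xfer-key"; };
};
```

As the question already points out, this authenticates the transfer, notify and update traffic between the two servers that share the key; it does not sign the zone data for resolvers, which is what DNSSEC provides.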
